kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/docs/security/apparmor.md
Eric Windisch 3edc88f76d Restore AppArmor profile generation 
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.

A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.

Also introduces documentation for AppArmor.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-07-28 17:45:51 -04:00

45 lines
1.5 KiB
Markdown
Raw Blame History

AppArmor security profiles for Docker
--------------------------------------
AppArmor (Application Armor) is a security module that allows a system
administrator to associate a security profile with each program. Docker
expects to find an AppArmor policy loaded and enforced.
Container profiles are loaded automatically by Docker. A profile
for the Docker Engine itself also exists and is installed
with the official *.deb* packages. Advanced users and package
managers may find the profile for */usr/bin/docker* underneath
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
in the Docker Engine source repository.
Understand the policies
------------------------
The `docker-default` profile the default for running
containers. It is moderately protective while
providing wide application compatability.
The `docker-unconfined` profile is intended for
privileged applications and is the default when runing
a container with the *--privileged* flag.
The system's standard `unconfined` profile inherits all
system-wide policies, applying path-based policies
intended for the host system inside of containers.
This was the default for privileged containers
prior to Docker 1.8.
Overriding the profile for a container
---------------------------------------
Users may override the AppArmor profile using the
`security-opt` option (per-container).
For example, the following explicitly specifies the default policy:
```
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
```
View git blame Copy permalink